An encryption primer: Don’t wait

Encryption became a hot topic in the news in the past month. The United Kingdom, Sweden, France and the EU are considering requiring “back doors” to encryption protections. The “Signalgate” scandal in Washington, DC started most people asking, “What is this encryption stuff?” So we decided to provide a primer on the state of encryption today.

While the technology behind encryption is complex, it is not new. The basic algorithms have been with us for decades, silently running on devices and servers, invisible to the user. The purpose is basic: to keep data safe from prying eyes, like criminals and nation states.

Encryption is also a good way of saving money and not just in avoiding ransoms. Insurance companies often offer up to 15% premium discounts to businesses demonstrating strong security practices, including proper data encryption. Encryption significantly reduces the risk of data breaches and their associated costs.

Three stages of encryption

The process of encryption has three stages. First is data in motion. That’s when you send or receive data. Second is data at rest, which is when you store data. Third is data in use, when you are creating new data, like when this article is being written. That last part is problematic and has yet to be incorporated widely, but more on that later.

The first process, in motion, is pretty well resolved. According to Google, 95 percent of all data in motion is encrypted. That means pretty much everything you send or receive has been made safe. That’s the White House argument regarding the use of Signal to discuss the attack on Houthi camps in Yemen. “It’s an encrypted messaging app!” Well, yes, the data you send is encrypted, until it lands on your digital device. Then it is unencrypted and stored for you to read it. That’s the second process, data at rest, and it is not that secure.

The problem of data at rest

In 2023, Thales said only 45 percent of data at rest is encrypted. Encryption, as a technology, has been perfected and in use for decades. One might wonder why everything in every major server isn’t encrypted. The problem is that regulations requiring encryption of data are not too clear.

In regards to personal heal data, the HIPAA the regulation is generally interpreted that data at rest should be encrypted, but it does not explicitly mandate it. And that is also true for a lot of security regulations, including the EU’s GDPR and California’s CCPA/CPRA. Financial systems regulations do spell it out, like the Payment Card Industry, as well as US federal systems and education. But that leaves a lot of data unprotected and gives companies an out when things go bad.

See no evil

Oracle is a big company that tends to acquire other companies, especially those who were Oracle customers. Some of those acquired companies, apparently, don’t encrypt their data at rest and in March 2025, a breach was reported on Oracle servers, including Oracle Health. The data was stored on older acquired servers that were being migrated to more secure servers in the Oracle system. But not in time.

At first Oracle claimed they knew nothing of a breach, basically because they used a “see no evil” approach to data security, according to Ian Thornton Trump, CISO for managed security service provider Inversion6.

“It’s a new and innovative legal defense to suggest If we don’t believe we have had a security incident, then we don’t really need to report it, right? Good luck with that defense when the inevitable class action occurs,” he said. After Thornton-Trump talked with Cyber Protection Magazine, Oracle did admit the breach had happened, but for the purpose of defending against the class-action suit that was filed, again claimed it was not to their newer servers. Oracle, however, is not the only company with its head in the sand.

A long road to full encryption

In the past two years, 90 percent of all stored data was created, according to Alexandra Borgeaud, an analyst for Statista, most of which should be encrypted. However Borgeaud also said that 40 percent of corporations reporting the state of data-at-rest said that only 21-40 percent of their data was encrypted last year. That indicates we have a long way to go before we solve the issue of secure data.

Cyber Protection Magazine has talked to more than 100 companies in the past two years that are dedicated to encrypting data in motion and data at rest. It is big business and there is no one leader in any of it that we can see in terms of revenue or technology. All of them claim to be profitable, so being first doesn’t really mean a whole lot, but it doesn’t make it easy for customers to make an informed choice. The best advice we can offer is to just pick a provider and hope for the best. Whatever the choice is will improve current security if you haven’t had a provider before.

However, once the choice is made that doesn’t solve the problem of data in use. That is the realm of a largely new security sector with the mouthful of a title: Fully Homomorphic Encryption (FHE).

Very simply, FHE encrypts data while a user is working on it, making it undecipherable even if a malicious actor has managed to infiltrate a network. Sounds pretty neat, but there are a couple of problems.

Slow and massive

First, encrypting data while in use slows down the computing time. Second, decrypting the data for use slows down computing time. Third encrypting data always tends to increase the amount of data making storage more expensive, especially using cloud storage. That limits what applications can actually use FHE. We count more than 20 companies engaged in FHE technology fighting for a very small amount of potential customers with limited budgets. One company we’ve talked to may have resolved all of those problems.

Datakrypto is a four-year-old start up that literally stumbled across their FHE solution while working on another problem, according to founder and CTO Luigi Caramico.

“Most FHE technology is impractical,” he explained, “It slows compute time and increases data by a factor of 100,000. That would be like going to an ATM and having to wait five hours to get your money out.”

Caramico claims their technology does increase the amount of data by about a factor of 1.5 or less, depending on how the customer wants to configure it, and increases latency by a few milliseconds.

Q-day panic

One factor the limits the adoption of encryption at any level is the fear regarding “Q-day”. This is the moment when a quantum computer is manufactured, powerful enough to decrypt the most complex encryption in use today. Post quantum computing (PQC) is an industry sector dedicated to producing a new encryption standard that cannot be broken by quantum computers. FHE is related to this industry because it calls itself “quantum resistant.”

Caramico dismisses that term, simply because he discounts the danger of quantum computing. “No one knows what quantum computing can do to encryption because no one has ever made a quantum computer powerful enough to accomplish the task.” He has a point. Here are some hard numbers.

The cost of quantum

A supercomputer, runs on 30 MWh or power. The most powerful quantum computer today capable of matching or exceeding the performance of a supercomputer consumes only 10-25 kWh. That alone justifies the investment in quantum.

However, the current cost per qbit, the measurement of compute power for quantum, is $10,000. The most powerful quantum computer in the world is around 1,100 qbits. To decrypt a single document requires a quantum computer with 20 million qbits. That makes the cost of the proposed system $200 billion.

The power that computer would consume is more than 125MW, but it also emits a tremendous amount of heat. That requires a cooling system keeping the facility at near absolute zero during operational hours. Such a facility needs an enormous continuous source of power, probably in the form of a nuclear power plant. That would $1.35 billion to the project total.

With this kind of cost and infrastructure is beyond the reach of ransomware gangs. It will have to be taken on by a nation-state with deep pockets. Even with all this, it would take that computer 8 hours to decrypt a single document. That makes it difficult to see an effective quantum computer capable of creating Q-Day, in our lifetimes.

That’s why we recommend ignoring the fear, uncertainty, and doubt and just get to work encrypting all that data now.